I spy, with my little eye, a winged horse
April 18, 2022 11:01 AM

The preeminent Ronan Farrow on NSO Group's Pegasus spyware, a campaign against Catalan civil society, and "the inside story of the world’s most notorious commercial spyware and the big tech companies waging war against it". Technical research and reporting from the University of Toronto's Citizen Lab accompanies the New Yorker article. They also found evidence of UK government targets, including Downing Street.

Previously in the NSO Group saga: And finally, more on the Citizen Lab, a great public-interest tech and security research group:
The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.

We use a “mixed methods” approach to research combining practices from political science, law, computer science, and area studies. Our research includes: investigating digital espionage against civil society, documenting Internet filtering and other technologies and practices that impact freedom of expression online, analyzing privacy, security, and information controls of popular applications, and examining transparency and accountability mechanisms relevant to the relationship between corporations and state agencies regarding personal data and other surveillance activities.
posted by redct (6 comments total) 15 users marked this as a favorite
 
Darknet Diaries ep 100 has a good NSO Group/Citizen Lab story. This one may not be unlocked but there is a full transcript there. Relatedly, I will try to read this article once my new month of freebies resets!
posted by drowsy at 1:27 PM on April 18, 2022


Good article and worth reading, but I think it makes too much of a big deal out of NSO Group in particular.

NSO Group builds toolkits that make vulnerabilities easier to exploit and use, but I strongly suspect they are not the actual discoverers of most underlying vulnerabilities themselves, including the ones used to compromise devices and inject NSO Group software. They are, in the scheme of the entire industry, pretty replaceable.

Getting rid of hired guns like NSO might raise the bar somewhat on cyber attacks, and at least put them out of reach of low-tier governments and some law enforcement agencies. Maybe that's a plus.

But bigger players, like the intelligence agencies of well-resourced states like the US, China, Israel, and most of the EU, are more than capable of doing in-house what NSO does. From various leaks and disclosures, it's known that NSA has similar tools. There are also commercial packages available on the shady side of the Internet from various criminal organizations that purport to do the same stuff.

Within the industry, NSO's software is a "stage 2" package; it's the payload that you deliver using a "stage 1" exploit, and it's the stage 1 that actually takes advantage of a vulnerability.

There's a whole international marketplace for vulnerabilities, and companies (and, one presumes, organizations within the government space) dedicated to finding them and passing them along the chain. I've been told that a zero-day no-click vulnerability for a recent version of iOS can fetch several million dollars on the illicit market, and that doesn't seem implausible. And once the vulnerability gets used, its value goes down until eventually it trickles into the freebie world of script kiddies and scammers targeting unpatched devices en masse.

There's no good or easy solution. I'm of the mind that there may not be a solution, at least with technology taking the form that it does today. My suspicion is that the FSB probably doesn't use a lot of computers internally, and they may be on to something.
posted by Kadin2048 at 3:15 PM on April 18, 2022


The Catalan case sounds legally like one of the more lawful imaginable uses of NSO's spyware, because (IIRC) the Spanish courts have ruled that there is no legitimate path to Catalan secession, and thus any independence movement is legally a seditious conspiracy rather than a legitimate group.
posted by acb at 3:25 PM on April 18, 2022


Yes, the framing of that first paragraph is just awful. What if it was written...

Today, a majority of Catalan parliamentarians, but not a majority of Catalans, support independence for the region, which the Spanish government, and the local Catalan government, has deemed unconstitutional. In 2017, as Catalonia prepared for an illegal referendum on independence, Spanish police arrested at least twelve separatist politicians. On the day of the referendum, which received the support of ninety per cent of voters despite low turnout and a boycott by all but pro-independence parties, police raids of polling stations injured hundreds of civilians who voted despite being repeatedly told it was an illegal referendum, and who used their children as human shields, attacked police, and rioted in the streets. Leaders of the illegal independence movement, some of whom live in exile across Europe, now meet in private and communicate through encrypted messaging platforms.

I have no dog in this fight, but framed like that it makes it seem like the Spanish government (or whoever may or may not have been monitoring phones) was resisting an illegal secession movement rather than oppressing innocent citizens. I can't imagine that there's any government anywhere that doesn't keep a close eye on its more radical citizens; let's not pretend it is just Spain, or that it's a shocking revelation that governments do this.
posted by conifer at 5:18 PM on April 18, 2022


Although this section doesn't seem entirely germane to the rest of the article... I just find it so grotesquely amusing:
On December 20, 2019, Joe Mornin, an associate at Cooley L.L.P., a Palo Alto law firm that was representing WhatsApp in its suit against NSO, received an e-mail from a woman who identified herself as Linnea Nilsson, a producer at a Stockholm-based company developing a documentary series on cybersecurity. Nilsson was cagey about her identity but so eager to meet Mornin that she bought him a first-class plane ticket from San Francisco to New York. The ticket was paid for in cash, through World Express Travel, an agency that specialized in trips to Israel. Mornin never used the ticket. A Web site for the documentary company, populated with photos from elsewhere on the Internet, soon disappeared. So did a LinkedIn profile for Nilsson.

Several months later, a woman claiming to be Anastasia Chistyakova, a Moscow-based trustee for a wealthy individual, contacted Travis LeBlanc, a Cooley partner working on the WhatsApp case, seeking legal advice. The woman sent voice-mail, e-mail, Facebook, and LinkedIn messages. Mornin identified her voice as belonging to Nilsson, and the law firm later concluded that her e-mail had come from the same block of I.P. addresses as those sent by Nilsson. The lawyers reported the incidents to the Department of Justice.


So was this hackish attempt at hacking the lawyers lining up a case against NSO in earnest or just a shot across their bows? If I'm giving them (NSO) credit it's more likely an implication of a covert threat to the Cooley lawyers that's underlying the overt amateur hour nonsense.
If I'm not giving them credit however, jesus. who knows. are the black cube pseudo spooks getting high on their own supply or otherwise not recognizing how galvanized everyone is against attempts aimed at people like them, and then they do something like this? or if not the general populace, then AT LEAST THE LAWYERS THAT ARE GOING TO ARGUE AGAINST YOUR SPYWARE COMPANY IN COURT?
tl;dr
This may be a step towards me accepting 'our dumb future' but my first instinct on reading this was that, yeah of course the company that spies on individuals on behalf of entities with enough money is going to try to spy on the lawyers that are taking it to court to stop the company from doing just that.
posted by Cold Lurkey at 5:30 PM on April 18, 2022


> The Catalan case sounds legally like one of the more lawful imaginable uses of NSO's spyware, because (IIRC) the Spanish courts have ruled that there is no legitimate path to Catalan secession, and thus any independence movement is legally a seditious conspiracy rather than a legitimate group.

> I have no dog in this fight

As a Spaniard who tries to believe in the rule of law, I do have a dog in this fight. I'm in fact opposed to the independentist "procés", and I agree with acb's and conifer's reframing. However, the important point here is not who was being spied on.

The point of the use of Pegasus to spy on the seditionists is whether these tools were used under orders of a Spanish court, or not.

If not, and Spanish citizens are under surveillance by the CNI without prior judicial approval... then their group is being treated like a foreign government!

Either way, this is old news. Spanish media has run stories about Pegasus and Catalan independentist politicians since at least 2020.
posted by kandinski at 7:25 PM on April 18, 2022 [1 favorite]

